Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
bksol92
Staff
Staff

Created on ‎03-24-2024 11:41 PM Edited on ‎03-24-2024 11:42 PM By Community Manager

Article Id 306307

Technical tip: The task limit for asynchronous log searches in FortiAnalyzer

 

Description This article discusses the task limit for asynchronous log searches in FortiAnalyzer.
Scope FortiAnalyzer v7.2.4 and above
Solution

In one user session, a new task is generated when a log search is performed in FortiAnalyzer GUI, or via API. There is a limit to the amount of tasks generated for log searches performed:

 

Tiara-kvm12 # dia test app fazsvcd 4

Slot total=128 inuse=0

 

Starting from v7.2.4 and above, the amount of tasks generated from asynchronous log searches is 128:

 

Tiara-kvm12 # dia test app fazsvcd 4
00: reqid=2021720192 lass-access=4s(ago) clt-lass-access=4s(ago) fetch=0 cancelled=0 complete=55s(ago) errcode=0 ready=1 thr-mode=standby
01: reqid=1836581121 lass-access=4s(ago) clt-lass-access=4s(ago) fetch=0 cancelled=0 complete=55s(ago) errcode=0 ready=1 thr-mode=standby
02: reqid=1820328322 lass-access=4s(ago) clt-lass-access=4s(ago) fetch=0 cancelled=0 complete=54s(ago) errcode=0 ready=1 thr-mode=standby
---

125: reqid=496123773 lass-access=13s(ago) clt-lass-access=19807d4h54m39s(ago) fetch=0 cancelled=0 complete=13s(ago) errcode=0 ready=1 thr-mode=standby
126: reqid=791101438 lass-access=13s(ago) clt-lass-access=19807d4h54m39s(ago) fetch=0 cancelled=0 complete=13s(ago) errcode=0 ready=1 thr-mode=standby
127: reqid=430522495 lass-access=13s(ago) clt-lass-access=19807d4h54m39s(ago) fetch=0 cancelled=0 complete=13s(ago) errcode=0 ready=1 thr-mode=standby

Slot total=128 inuse=128

 

A Python script is attached here to test this limit (logsrch.py); the following screenshot shows the number of active tasks in one API session:

 

Output from an API script when the task limit is reachedOutput from an API script when the task limit is reached

 

Once the limit is reached, the FortiAnalyzer will return the following error:

 

internal-error.PNG

 

This will also affect log searches done on the GUI:

 

dia de app fazsvcd 8

dia de en
_get_logs:1827: _get_logs debug info:
retc=-9 adom_prefix: FSFADOM3-FAZ, dev_type: 7 (FAZ), logtype: 5 (e), subtype: -1, count_limit=-1, logs_per_page=50, start_line=0, log_num=50
kw: itime>=1711339254 itime<=1711342853
handle_client_request:220: jsonapi response={ "retcode": -9, "error": "No available slot for searching", "jsonrpc": "1.0", "id": 1013 }.

 

Note:

The limit is only 64 in v7.2.3 and below.

 

Preview file
3 KB
103
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.